1. Field of the Invention
The invention relates generally to the field of digital data processing systems, and more specifically to improved mechanisms for establishing protection domains for processes in such systems to permit sharing of such processes, and their data, while at the same time controlling potentially undesirable alteration of the shared processes and data.
2. Description of the Prior Art
A digital data processing system includes three basic elements, namely, a processor element, a memory element and an input/output element. The memory element stores information in addressable storage locations. This information includes data and instructions for processing the data. The processor element fetches information from the memory element, interprets the information as either an instruction or data, processes the data in accordance with the instructions, and returns the processed data to the memory element for storage therein. The input/output element, under control of the processor element, also communicates with the memory element to transfer information, including instructions and data to be processed, to the memory, and to obtain processed data from the memory.
Typically, an input/output element includes a number of diverse types of units, including video display terminals, printers, interfaces to the public telecommunications network, and secondary storage subsystems, including disk and tape storage devices. A video display terminal permits a user to run programs, input data and view processed data. A printer permits a user to obtain processed data on paper. An interface to the public telecommunications network permits transfer of information over the public telecommunications network.
Because computer systems have historically been very expensive, they have been designed as multi-user systems that process programs of instructions for several users concurrently, so that the cost of the systems could be divided among a number of users. This provided a number of advantages. For example, in many circumstances a processor may be waiting for the completion of an operation, such as a transfer of information to or from a disk or tape, before it can continue processing instructions in the program which required the transfer operation. In that case, the processor could process instructions forming portions of another program. In other circumstances, while a processor was waiting for an operator to input data to be processed by one program, it would process portions of another program until the operator actually made the input. Control programs, known as operating systems, were developed which facilitated concurrent use by a number of users, using a number of diverse programs, so that the expensive equipment was used as fully as possible.
Multi-user systems also provided a number of other benefits, most notably the sharing of data. Since a number of users were using the same system, they could share the same data. Thus, for example, various workers in a corporate accounting department may perform various data input functions while others generate reports based on the same data, all at the same time. While the cost of computer systems has recently been reduced with the advent of computer workstations and personal computers, with each user effectively having his or her own computer, the desirability of allowing sharing of data has led to the implementation of networks allowing sharing through file and database servers.
A problem arises since it may be desirable for programs to share only part of the data, and that for only limited purposes. For example, some programs may need to permit others to read data for processing, but not alter it. This occurs, most notably, between the operating system programs and applications programs, since the operating system programs may generate tables which are used by the applications programs during processing; the applications programs must be able to read the tables, but they must be prevented from writing or adulterating the information in the tables or they may interfere with proper operation of the other applications programs which the computer system may be processing at the same time.
Similar problems also arise among applications programs. For example, programs in a computer system providing accounting may need to permit a number of programs to use original data to produce processed data, but to preclude any from altering the original data. If a program in the accounting system does erroneously alter the original data, it may prevent other programs from providing correct processed data.
Thus, protection systems have been developed to regulate the sharing of information, including programs and data, among the programs operating in the system. One typical form of protection provides a series of hierarchical protection layers or rings with varying privilege levels. Programs and their attendant data were allocated to one of the protection rings, with operating system programs being assigned to very high privilege levels and application programs to very low privilege levels. Thus, while the privileged operating system programs could access applications programs, the applications programs could not directly access the operating system programs or data. As a result, applications programs could not adulterate the operating system programs or data.
However, while such protection systems effectively isolate the applications programs from the operating system programs and data, they do not isolate the applications programs from each other. Thus, an applications program may not be able to regulate access by another applications program. More recently, other protection systems provide such regulation by means of "capabilities", in which a program can regulate access by either giving or not giving an access capability to another program. The other program can access the first program only if the first program gives it a capability. Thus, programs can regulate access by other programs by means of capabilities, even if they would otherwise operate at the same privilege level in a protection ring system.
While capability protection systems provide significant protection as among programs which would operate at the same privilege level, they require significant overhead. Each program in the capability system effectively operates in a separate protection domain. When a program operating in one domain needs to call a program operating in another domain, which it can do if it has a capability, the operating system must make a cross-domain call to the domain of the called program. In current capability protection systems, a cross-domain call requires significant processing by the operating system or by the processor's processing hardware to complete. Thus, while capability systems provide much better protection among programs in a digital data processing system, they can slow down processing significantly because of the time required for the cross-domain calls.
Two problems arise in connection with cross-domain calling operations in a capability system. First, a problem arises with ensuring that a capability given by a calling program to one called program is not inadvertently obtained by another program. In a prior capability system, namely the Intel 432, during every cross-domain call, the portions of memory containing capabilities which were being passed as arguments had to be cleared, which significantly increased the time required for a cross-domain call.
A second problem is to minimize the number of the processor's registers which have to be saved or cleared. As is typical, a calling program can pass arguments, that is, variable values, to a called program in registers, and the called program may provide result values in registers. Other registers, that is, those not used to pass variable values or results, may have been used by the calling program for storage of variable values which it used prior to the transfer of control to the called program, and which the calling program may need to use when the called program returns control to it. The called program may not, however, need to use all of the registers for its processing, and it would be extra, perhaps unnecessary, effort to save the contents of all of these registers in memory if only some of the registers are to be used by the called program.
A further complication arises in connection with the saving of registers relating to the "trustworthiness" of the called program as perceived by the calling program. Trustworthiness includes two aspects, namely, whether the calling program (or actually the programmer) "trusts" the called program not to release information to other programs, which is a question of the security of the information provided to the called program, and whether it trusts the called program not to modify or sabotage the data made available to the called program. Similar problems also arise in connection with the trustworthiness of the calling program as perceived by the called program.
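The two cross-domain call problems described above (a capability left in the argument area being picked up by a later called program, and register handling that depends on how far the callee is trusted) can be made concrete with a toy model. This is an added example, not part of the patent or any real capability machine; the Machine, Capability and cross_domain_call names are constructed for illustration.

```python
# Toy model of cross-domain calls in a capability system (constructed example,
# not the patent's mechanism). A Machine has general registers and a small
# "capability argument area" used to pass capabilities between domains.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Capability:
    object_id: str
    rights: frozenset          # e.g. {"read"} or {"read", "write"}


@dataclass
class Machine:
    regs: dict = field(default_factory=lambda: {f"r{i}": 0 for i in range(4)})
    cap_slots: list = field(default_factory=lambda: [None, None])


def cross_domain_call(m, callee, caps, clear_caps=True, trusted=True):
    """Transfer control to `callee` in another domain, passing `caps` in the
    capability argument area. `clear_caps` models wiping the argument area after
    the call (the Intel 432 behaviour the text mentions); `trusted` decides
    whether the caller's scratch registers are hidden from, and restored after,
    the callee."""
    saved = dict(m.regs)
    for i, c in enumerate(caps):
        m.cap_slots[i] = c
    if not trusted:
        m.regs = {r: 0 for r in m.regs}    # untrusted callee must not see caller values
    result = callee(m)
    if clear_caps:
        m.cap_slots = [None] * len(m.cap_slots)
    if not trusted:
        m.regs = saved                      # ...nor be able to alter them
    return result


def leaked_capabilities(clear_caps):
    """Caller passes a write capability to program A, then calls program B with
    no capabilities. Returns whatever capabilities B finds in the argument area."""
    m = Machine()
    write_cap = Capability("ledger", frozenset({"read", "write"}))
    cross_domain_call(m, lambda mm: "A done", [write_cap], clear_caps=clear_caps)
    return cross_domain_call(m, lambda mm: [c for c in mm.cap_slots if c is not None],
                             [], clear_caps=clear_caps)


def caller_registers_after(trusted):
    """Returns (value the callee saw in r1, value the caller finds in r1 afterwards)."""
    m = Machine()
    m.regs["r1"] = 42                       # caller's live scratch value

    def sabotage(mm):
        seen = mm.regs["r1"]
        mm.regs["r1"] = -1                  # callee clobbers the caller's register
        return seen
    seen = cross_domain_call(m, sabotage, [], trusted=trusted)
    return seen, m.regs["r1"]
```

Without clearing, program B obtains the write capability it was never given; treating the callee as untrusted costs a full register save, clear and restore on every call, which is the overhead the text is concerned with.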